Microsoftzilla

A browser with vulnerabilities that could lead to arbitrary code execution and cross-site scripting attacks. An urgent automatic update to patch eight such vulnerabilities, five of which are rated as critical and the complete set as ‘highly critical’ by security exploits tracker Secunia. And even then missing a password management vulnerability that has been known about since November which can exploit a reverse cross-site request to expose logins. The browser security supremo spinning the whole episode as ‘definitely a good thing’ proving that the client is ‘more secure.’

You might be forgiven for thinking it is the same old same old from Microsoft.

However, this is Mozilla Firefox we are talking about.

The eight vulnerabilities concerned are:

MFSA 2006-76 XSS using outer window's Function object

MFSA 2006-75 RSS Feed-preview referrer leak

MFSA 2006-73 Mozilla SVG Processing Remote Code Execution

MFSA 2006-72 XSS by setting img.src to javascript: URI

MFSA 2006-71 LiveConnect crash finalizing JS objects

MFSA 2006-70 Privilege escalation using watch point

MFSA 2006-69 CSS cursor image buffer overflow (Windows only)

MFSA 2006-68 Crashes with evidence of memory corruption

Continuing in the Mozilla-becomes-Microsoft mode, it’s also interesting to note that Mozilla has confirmed the rumors that official support for Firefox 1.5 will be discontinued as from 24th April 2007, or six months after the release of Firefox 2. If you have been slow in upgrading, at least you will now get a much more secure client than those of us who fall into the early adopter category. The trouble is, as with Microsoft applications, there will be fewer and fewer of us as the ripple effect of these security scares is felt.

Once upon a time Mozilla had a reputation for being the most secure of developers, with clients that had been properly tested and were solid on release. Unfortunately, I no longer feel confident that this remains the case. Certainly I would advise my consultancy clients not to upgrade for 3 months to give Mozilla a chance to iron out the vulnerabilities and patch the client to an acceptably safe standard.

Perhaps inevitably, methinks the Firefox fairytale does not have a happy ending...

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

they may have had the reputation but that reputation was never backed up by facts.

As to Opera, as with Mozilla in the past you hear little about it because so few people use it.
As a result few exploits are ever attempted against it and thus it doesn't make headlines.
They don't AFAIK publish any data on holes they discover themselves, so that can't be used as a criterion either.

I never saw Firefox as 'secure', just different. The more popular something is the less secure it is, and if it can be made, it can be compromised.

If you want extreme security, disable all cookies, disable all Javascript, stay out of forums and places where 'members' can post images and links, set a spam filter to redirect ALL mail to trash, and then tie both your arms behind your back.

hmm, could be overkill. Easier to encase the thing in a block of steel reinforced concrete with a meter's worth of concrete on all sides, lock that in a watertight steel chamber with walls 20cm thick, and sink the thing into an ocean trench.

but seriously... the only time my computer's ever been 'compromised' is where i've been in unsanitary places : the only virii i've ever got have been from P2Ps and crack downloads. I dunno who's watching me, and I'm not really that bothered. I'm poor and generally law-abiding.

I think a lot of the security hype is to sell third party firewalls and scanners and detectors..

The problem with anything third party is just that. It's effectively acting on the same level as a virus would; I would welcome Microsoft integrating fast good security at a very low level in Windows (even a 'real' administrator/user privilege setup would be nice). Any "secure" browser or protective measure on Windows is like putting a deadlocked steel door on a cardboard box...

Not really. Any OS has holes which can be exploited if you know how and care to.
Singling out Windows is not only unfair, it's dangerous as people start to think that the very act of installing something else will suddenly give them a completely secure system.

Any security though starts at the front door. If you install a decent firewall you keep most of the crap out the door (attacks trying to find open ports for example) and prevent most of the rest from dialing out if it does get in.

Instead of your analogy of a deadlocked door on a cardboard box a better analogy would be that NOT having your system secured by firewalls and AV software is like having a jewelry store and leaving the doors and windows wide open when you leave at night and refusing to invest in alarm systems and guards because you believe in the general goodness of people and don't think anyone will ever steal from you.

hmm... well my pc is definitely more reminiscent of a cardboard box than a jewelry store.

if I worked on top secret technology, if i was a hacker myself, or if I'm talking about corporate computer systems, my views wouldn't be the same.

but, as I use my personal computers for developing open-source software, listening to music, and chatting on forums, and I DO believe in the general goodness of people... I'm not all that concerned.

the average home user has security software shoved down their throat when buying a new PC... it has its place, for sure; but bullet-proof software is less important than making the right decisions in how you use it.

Windows home versions are pretty terrible in that any user has pretty much got permission to access and modify everything on the system. It doesn't matter if a browser object escapes its confines if it can't do anything.

No browser can protect against certain cross-site attacks.. and it's not the responsibility of browser vendors.

I think in general, Firefox is more secure than most. I feel 'safer' using Firefox than IE for sure. But then, I feel safer using Linux than Windows, and even safer just using a Gameboy instead.

You FEEL safer using Linux than Windows, but you're not and that's the problem.

The incidence (as percentage of installed base) of successful intrusion attempts against Linux boxes is far higher than that of successful intrusion attempts against Windows boxes.
That's because most Linux boxes are installed wide open by default, and are running a lot of unneeded and potentially dangerous applications like SendMail and Apache without their owners even knowing it.
They think there's nothing to fear because they're not using Windows (they're believing the hype/hoax/lies), and often don't keep up with security and other updates (which is why Windows now comes with automatic updates turned on by default).
As Sendmail especially (but Apache in many versions as well, and X too) is as leaky as a sieve, these systems are easy prey for crackers.
The reasons you don't hear a lot of outcry is because many of the low overall volume, and because a lot of those machines are run by companies who don't want the negative publicity.

I do agree that MS make a good effort with patches, and I don't really understand the problem people have, along lines of "Microsoft just released a new patch, that means their software sucks", or even "Microsoft have stopped support for Windows 3, what swines" it's natural development to keep 'adding' to a system when things don't go quite as planned, and re-releases are better than endless patches in the long run.

With regard to feeling safe. My computer doesn't function as a webserver, (but I use Apache locally and bring it up and down when I need it), and my computer gets its Internet connection through a (firewalled) Windows laptop connected peer-to-peer with this one, which makes it somewhat difficult to address this one directly. I feel safe because I know how difficult it would be for anyone to A. attack this PC, or B. get anything useful from it.

On Windows using IE 6 though, it doesn't matter what firewall you have if you hit a browser-object-gone-mad. I got a virus delivered by a script executed in a WMF file in Internet Explorer, and that was with AV and a firewall active.

I'm usually more worried about virus damage than cracker damage to be honest. There's always a question about the goodness of human nature in their immediate present, there's no question with a bit of mad script they wrote while in a bad mood and left all over the web.